1. Contact Information 



Department of State Privacy Coordinator 

Margaret P. Grafeld 

Bureau of Administration 

Global Information Services 

Office of Information Programs and Services 



2. System Information 

(a) Date PIA was completed: July 1 6, 2009 

(b) Name of system: Voyager 

(c) System acronym: Voyager 

(d) IT Asset Baseline (ITAB) number: 501 

(e) System description (Briefly describe scope, purpose, and major functions): 

Voyager is a commercial off the shelf based integrated library management system used 
to track items owned, books patrons have borrowed and allows for better inventory 
control of library's collection. 

(f) Reason for performing PIA: 
New system 

Significant modification to an existing system 
[X] To update existing PIA for a triennial security re-certification 

(g) Explanation of modification (if applicable): 

(h) Date of previous PIA (if applicable): April 23, 2009 

3. Characterization of the Information 

The system: 

Does NOT contain Pll. If this is the case, you must only complete Section 13. 



M Does contain Pll. If this is the case, you must complete the entire template. 

a. What elements of Pll are collected and maintained by the system? What are 
the sources of the information? 

The system collects: names, bureau, room and building numbers, office or cell phone 
number, and DoS email address. Retirees are required to supply an email address or 
home address. Interns are asked to supply the name and phone number of their 
supervisor. The Patron can voluntarily supply alternative contact information such as 
personal email and or home address, or phone number. The system also maintains 
current patron circulation records (i.e. information that connects individual persons with 
specific books or other library materials). 

The source of information is: 



B-1 



• DOS employees 

• FSI Student 

• Interns 

• Retirees 

• Personnel on temporary assignment 

b. How is the information collected? 

The information is collected from the individual when they complete the Patron 
Information Form. 

c. Why is the information collected and maintained? 

Information is collected to maintain an inventory of the library collection and track 
overdue books. 

d. How will the information be checked for accuracy? 

The individuals are expected to provide accurate information. Information is checked 
against the Global Address List, if discrepancies arise. 

e. What specific legal authorities, arrangements, and/or agreements define the 

collection of information? 

5U.S.C. 301 

f. Privacy Impact Analysis: Given the amount and type of data collected, discuss 

the privacy risks identified and how they were mitigated. 

The system collects the minimum amount of personally identifiable information required 
to meet the statutory requirements. Privacy risks are minimal. 

4. Uses of the Information 

a. Describe all uses of the information. 

The information will be used to maintain inventory, check out library materials, and send 
overdue and other notices to patrons. 

b. What types of methods are used to analyze the data? What new 
information may be produced? 

No methods are used to analyze the data. Any analysis is transaction-based without 
any Pll included in the reports. 

c. If the system uses commercial information, publicly available information, or 
information from other Federal agency databases, explain how it is used. 

No commercial information, publicly available information or information from other 
Federal agencies is used by this system. 

d. Is the system a contractor used and owned system? 
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Voyager is a commercial off the shelf product and is the property of the Bureau of 
Administration. 

e. Privacy Impact Analysis: Describe the types of controls that may be in place 
to ensure that information is handled in accordance with the above uses. 

The information is only accessible by appropriate and authorized library staff. In addition 
to the standard DoS IT security for access to OpenNet, the software includes several 
layers of internal security which is managed by only library employees. The system has 
transaction logs that document access. 

5. Retention 

a. How long is information retained? 

The patron record is retained as long as the patron is an active user. Accounts without 
any activity during the past three years are purged. 

b. Privacy Impact Analysis: Discuss the risks associated with the duration that 
data is retained and how those risks are mitigated. 

The information will not be maintained longer than needed. There are minimal risks. 

6. Internal Sharing and Disclosure 

a. With which internal organizations is the information shared? What 

information is shared? For what purpose is the information shared? 

No information is shared with internal organizations. 

b. How is the information transmitted or disclosed? What safeguards are in 
place for each sharing arrangement? 

Not applicable 

c. Privacy Impact Analysis: Describe risks to privacy from internal sharing and 
disclosure and describe how the risks are mitigated. 

Not applicable 
7. External Sharing and Disclosure 

a. With which external organizations is the information shared? What 

information is shared? For what purpose is the information shared? 

No information is shared with external organizations. 

b. How is the information shared outside the Department? What safeguards are 
in place for each sharing arrangement? 

No information is shared outside the Department. 

c. Privacy Impact Analysis: Describe risks to privacy from external sharing and 
disclosure and describe how the risks are mitigated. 
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Not applicable 

8. Notice 



The system: 

K Constitutes a system of records covered by the Privacy Act. 
System of Records Notice State-31 Human Resource Records 



Does not constitute a system of records covered by the Privacy Act. 



a. Is notice provided to the individual prior to collection of their information? 

Notice is provided through System of Records Notice State-31, Human Resource 
Records. 

b. Do individuals have the opportunity and/or right to decline to provide 
information? 

The individual has the right to decline but the information is required in order to check 
out materials from the library. Individuals will be able to use library materials within the 
library. 

c. Do individuals have the right to consent to limited, special, and/or specific 

uses of the information? If so, how does the individual exercise the right? 

No. There are no uses for the information other than for using the library system. 

d. Privacy Impact Analysis: Describe how notice is provided to individuals and 
how the risks associated with individuals being unaware of the collection are 
mitigated. 

Patrons are given notice prior to the collection of information. There are minimal risks. 

9. Notification and Redress 

a. What are the procedures to allow individuals to gain access to their 

information and to amend information they believe to be incorrect? 

Patrons can elect to have access to their own electronic patron record and can change 
it. A patron must establish an account with a PIN in order to access his or her patron 
record online. In order to manage the electronic patron record, a patron must log on with 
account ID and PIN. A patron can access his or her account only. Alternatively, they 
can contact the Library and Library staff will make the changes. This information is 
available on the Patron Information Form. 

b. Privacy Impact Analysis: Discuss the privacy risks associated with 
notification and redress and how those risks are mitigated. 

There are minimal privacy risks. 

10. Controls on Access 
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a. What procedures are in place to determine which users may access the 

system and the extent of their access? What monitoring, recording, and 
auditing safeguards are in place to prevent misuse of data? 

All users maintain a least a public trust clearance in order to gain access to the 
Department's unclassified computer network. To access records in Voyager, the 
individual must first be an authorized user of the Department's unclassified computer 
network. Each prospective authorized user must first sign a user access agreement 
before being given a user account. The individual's supervisor must sign the agreement 
certifying that access is needed in order for the individual to perform his or her official 
duties. The user access agreement includes rules of behavior describing the individual's 
responsibility to safeguard information and prohibited activities (e.g. curiosity browsing). 

Only Library staff with the client software physically installed on their desktops can 
access the patron records. Only staff that needs access to the patron records is granted 
that access by the security system within the software. Only specially-trained Library 
staff has access to the internal security system. 

b. What privacy orientation or training for the system is provided authorized 

users? 

Privacy of patron information is a long-standing tenet of librarianship and is integral to all 
library training for both technicians and degreed-librarians. Library staffs are trained on 
privacy issues as part of the training required before staff can access the system. 

c. Privacy Impact Analysis: Given the sensitivity of Pll in the system, manner of 

use, and established access safeguards, describe the expected residual risk 
related to access. 

There is minimal or no expected residual risk. 

11. Technologies 

a. What technologies are used in the system that involves privacy risk? 

There are no technologies associated with this system that involve privacy risk. 

b. Privacy Impact Analysis: Describe how any technologies used may cause 
privacy risk, and describe the safeguards implemented to mitigate the risk. 

Not applicable. 

12. Security 

What is the security certification and accreditation (C&A) status of the system? 

C&A not required. 
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